diff --git a/.github/actions/build_aws_eif/action.yaml b/.github/actions/build_aws_eif/action.yaml
index f17523a44..92ebe8d9a 100644
--- a/.github/actions/build_aws_eif/action.yaml
+++ b/.github/actions/build_aws_eif/action.yaml
@@ -116,6 +116,8 @@ runs:
docker cp amazonlinux:/sockd ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/vsockpx ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
+
+ docker cp amazonlinux:/gvproxy ${ARTIFACTS_OUTPUT_DIR}/
docker cp amazonlinux:/pcr0.txt ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
docker cp amazonlinux:/pcr0.txt ${ARTIFACTS_OUTPUT_DIR}/
diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml
index 1a7bca316..1c0c017a3 100644
--- a/.github/actions/build_eks_docker_image/action.yaml
+++ b/.github/actions/build_eks_docker_image/action.yaml
@@ -87,7 +87,6 @@ runs:
shell: bash
working-directory: ${{ inputs.artifacts_output_dir }}
run: |
- ls -al
VERSION_NUMBER=$(cat ./version_number.txt)
echo "VERSION_NUMBER=$VERSION_NUMBER" >> $GITHUB_OUTPUT
echo "Version Number: " $VERSION_NUMBER
diff --git a/.github/workflows/publish-aws-nitro-eif.yaml b/.github/workflows/publish-aws-nitro-eif.yaml
index 8783f6829..fc701ffcc 100644
--- a/.github/workflows/publish-aws-nitro-eif.yaml
+++ b/.github/workflows/publish-aws-nitro-eif.yaml
@@ -50,7 +50,7 @@ jobs:
- name: Update Operator Version
id: update_version
- uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@main
+ uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@cbc-UID2-4553-replace-vsock-with-gvisor
with:
release_type: ${{ inputs.release_type }}
version_number_input: ${{ inputs.version_number_input }}
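Review bot: The changed `uses:` line references a feature branch (`@cbc-UID2-4553-replace-vsock-with-gvisor`) instead of `@main` or a commit SHA; a branch is a mutable ref, so the workflow picks up whatever that branch holds at run time and breaks outright once the branch is merged and deleted. The same change is made for `build_aws_eif` in the two later hunks of this file (the `uses:` lines under `build_uid2_eif` and `build_euid_eif`). If this is a temporary pin for testing the branch, mark it, e.g. `# TODO: revert to @main (or a pinned SHA) before merge`; for a publish workflow, an immutable SHA is the safer reference.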
@@ -68,9 +68,36 @@ jobs:
runs-on: ubuntu-latest
needs: start
steps:
+ - name: Free disk space
+ run: |
+ sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
+ sudo rm -rf \
+ /usr/share/dotnet /usr/local/lib/android /opt/ghc \
+ /usr/local/share/powershell /usr/share/swift /usr/local/.ghcup || true
+ echo "some directories deleted"
+ sudo apt install aptitude -y >/dev/null 2>&1
+ sudo aptitude purge aria2 ansible azure-cli shellcheck rpm xorriso zsync \
+ esl-erlang firefox gfortran-8 gfortran-9 google-chrome-stable \
+ google-cloud-sdk imagemagick \
+ libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
+ mercurial apt-transport-https mono-complete libmysqlclient \
+ unixodbc-dev yarn chrpath libssl-dev libxft-dev \
+ libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev \
+ snmp pollinate libpq-dev postgresql-client powershell ruby-full \
+ sphinxsearch subversion mongodb-org azure-cli microsoft-edge-stable \
+ -y -f >/dev/null 2>&1
+ sudo aptitude purge google-cloud-sdk -f -y >/dev/null 2>&1
+ sudo aptitude purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+ sudo apt purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+ sudo aptitude purge '~n ^mysql' -f -y >/dev/null 2>&1
+ sudo aptitude purge '~n ^php' -f -y >/dev/null 2>&1
+ sudo aptitude purge '~n ^dotnet' -f -y >/dev/null 2>&1
+ sudo apt-get autoremove -y >/dev/null 2>&1
+ sudo apt-get autoclean -y >/dev/null 2>&1
+ echo "some packages purged"
- name: Build UID2 AWS EIF
id: build_uid2_eif
- uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+ uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@cbc-UID2-4553-replace-vsock-with-gvisor
with:
identity_scope: uid2
artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2
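Review bot: The new `Free disk space` step silences every command with `>/dev/null 2>&1` but applies `|| true` to only some of them; GitHub runs `run:` steps under `bash -e`, so a failure of `apt install aptitude`, the long `aptitude purge` list, or the `'~n ^mysql'`/`'~n ^php'`/`'~n ^dotnet'` purges fails the job with nothing in the log to explain why. Either make the cleanup uniformly best-effort (`|| true` on every line) or keep stderr visible (`>/dev/null` only) so a failing line can be diagnosed. The same 27-line block is pasted verbatim under `buildEUIDEIF` in the next hunk; a composite action next to the existing ones in `.github/actions/` keeps the two copies from drifting. A one-line comment stating why the runner needs the space (presumably the EIF build plus the new Go build stage) would also help the next reader.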
@@ -102,11 +129,38 @@ jobs:
buildEUIDEIF:
name: Build EUID EIF
runs-on: ubuntu-latest
- needs: start
+ needs: [start, buildUID2EIF]
steps:
+ - name: Free disk space
+ run: |
+ sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
+ sudo rm -rf \
+ /usr/share/dotnet /usr/local/lib/android /opt/ghc \
+ /usr/local/share/powershell /usr/share/swift /usr/local/.ghcup || true
+ echo "some directories deleted"
+ sudo apt install aptitude -y >/dev/null 2>&1
+ sudo aptitude purge aria2 ansible azure-cli shellcheck rpm xorriso zsync \
+ esl-erlang firefox gfortran-8 gfortran-9 google-chrome-stable \
+ google-cloud-sdk imagemagick \
+ libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
+ mercurial apt-transport-https mono-complete libmysqlclient \
+ unixodbc-dev yarn chrpath libssl-dev libxft-dev \
+ libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev \
+ snmp pollinate libpq-dev postgresql-client powershell ruby-full \
+ sphinxsearch subversion mongodb-org azure-cli microsoft-edge-stable \
+ -y -f >/dev/null 2>&1
+ sudo aptitude purge google-cloud-sdk -f -y >/dev/null 2>&1
+ sudo aptitude purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+ sudo apt purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+ sudo aptitude purge '~n ^mysql' -f -y >/dev/null 2>&1
+ sudo aptitude purge '~n ^php' -f -y >/dev/null 2>&1
+ sudo aptitude purge '~n ^dotnet' -f -y >/dev/null 2>&1
+ sudo apt-get autoremove -y >/dev/null 2>&1
+ sudo apt-get autoclean -y >/dev/null 2>&1
+ echo "some packages purged"
- name: Build EUID AWS EIF
id: build_euid_eif
- uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+ uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@cbc-UID2-4553-replace-vsock-with-gvisor
with:
identity_scope: euid
artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid
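Review bot: `needs: [start, buildUID2EIF]` serializes the EUID build behind the UID2 build with no stated reason; each job runs on its own `ubuntu-latest` runner, so the disk-space cleanup in one job does not help the other, and the change lengthens the workflow's critical path. If the ordering is deliberate (for example to avoid two concurrent builds of the same pipeline image), record that in a comment such as `# runs after buildUID2EIF: <reason>`; otherwise `needs: start` can stay as it was.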
diff --git a/.gitignore b/.gitignore
index 1e5d984cc..ee5409d66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ e2e-target
*.iml
# Ignore generated credentials from google-github-actions/auth
gha-creds-*.json
+opt/*
\ No newline at end of file
diff --git a/Dockerfile.nitro.builder b/Dockerfile.nitro.builder
index 23aaba22b..13978d3e2 100644
--- a/Dockerfile.nitro.builder
+++ b/Dockerfile.nitro.builder
@@ -1,10 +1,21 @@
-FROM ubuntu:22.04
+FROM golang:1.23.0 AS go-build
+
+WORKDIR /build
+
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+ && cd gvisor-tap-vsock \
+ && make \
+ && cd .. \
+ && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+ && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
+FROM ubuntu:22.04 AS main
ENV enclave_platform="aws-nitro"
# install build-essential, openjdk, maven, git
RUN apt-get update -y \
- && apt-get install -y curl -y build-essential pkg-config libssl-dev cmake openjdk-21-jdk maven git \
+ && apt-get install -y curl -y build-essential pkg-config libssl-dev cmake openjdk-21-jdk maven golang-go git \
&& rm -rf /var/lib/apt/lists/*
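Review bot: The `git clone https://github.com/containers/gvisor-tap-vsock.git` in the new `go-build` stage is unpinned, so each build compiles whatever upstream HEAD is at that moment; the resulting `gvforwarder` is placed inside the enclave image, whose PCR0 measurement is what operators attest against, so the measurement drifts with every upstream commit and a compromised upstream would land directly in the attested image. Pin the source, e.g. `RUN git clone --depth 1 --branch <UPSTREAM_TAG> https://github.com/containers/gvisor-tap-vsock.git` followed by `git -C gvisor-tap-vsock checkout <UPSTREAM_COMMIT_SHA>`, and consider pinning `golang:1.23.0` by digest for the same reason. The same unpinned clone is repeated in `scripts/aws/pipeline/amazonlinux.Dockerfile` and `scripts/aws/pipeline/amazonlinux2023.Dockerfile` in this diff. Separately, `golang-go` added to the `apt-get install` line of the `main` stage looks unnecessary now that the Go build happens in `go-build` and only the binary is copied across.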
# install rust
@@ -31,3 +42,5 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
&& mkdir uid2-aws-enclave-vsockproxy/build \
&& (cd uid2-aws-enclave-vsockproxy/build; cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo; make; cd ../..) \
&& cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx
+
+COPY --from=go-build /build/gvforwarder ./gvforwarder
\ No newline at end of file
diff --git a/Makefile.eif b/Makefile.eif
index c50b59b57..d22e0888c 100644
--- a/Makefile.eif
+++ b/Makefile.eif
@@ -13,11 +13,11 @@ all: build_eif
build_eif: uid2operator.eif euidoperator.eif
-uid2operator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
+uid2operator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/gvforwarder build/Dockerfile build/load_config.py build/make_config.py
cd build; docker build -t uid2operator . --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./uid2operator.tar uid2operator; docker cp ./uid2operator.tar amazonlinux:/uid2operator.tar; rm -f ./uid2operator.tar
docker exec amazonlinux bash aws_nitro_eif.sh uid2operator
-euidoperator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
+euidoperator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/gvforwarder build/Dockerfile build/load_config.py build/make_config.py
cd build; docker build -t euidoperator . --build-arg IDENTITY_SCOPE='EUID' --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./euidoperator.tar euidoperator; docker cp ./euidoperator.tar amazonlinux:/euidoperator.tar; rm -f ./euidoperator.tar
docker exec amazonlinux bash aws_nitro_eif.sh euidoperator
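Review bot: `build/gvforwarder` is now a prerequisite of both `uid2operator.eif` and `euidoperator.eif`, but no rule that produces it is visible in this diff; unless the existing rule that places `build/vsockpx` (outside the hunk) also covers `gvforwarder`, make will stop with `No rule to make target 'build/gvforwarder'`. Worth confirming that the binary is copied out of the builder image (where `Dockerfile.nitro.builder` now places it as `./gvforwarder`) into `build/` by an existing rule, and adding one if not.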
diff --git a/pom.xml b/pom.xml
index 69634018d..216d96f84 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
com.uid2
uid2-operator
- 5.43.4
+ 5.43.31-alpha-161-SNAPSHOT
UTF-8
diff --git a/scripts/aws/Dockerfile b/scripts/aws/Dockerfile
index e210001c3..f7532b75a 100644
--- a/scripts/aws/Dockerfile
+++ b/scripts/aws/Dockerfile
@@ -20,13 +20,15 @@ COPY ./syslog-ng-ose-pub.asc /app/dep/
RUN echo "deb http://security.ubuntu.com/ubuntu focal-security main" | tee -a /etc/apt/sources.list \
&& apt update -y \
- && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 \
+ && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 busybox udhcpc\
&& apt-key add /app/dep/syslog-ng-ose-pub.asc \
&& apt-get install /app/dep/syslog-ng-core_4.6.0-1_amd64.deb \
&& rm -rf /var/lib/apt/lists/* \
&& apt-key del 6694369F
RUN pip3 install boto3==1.16.9
+COPY ./gvforwarder /app
+
COPY ./target/${JAR_NAME}-${JAR_VERSION}-jar-with-dependencies.jar /app/${JAR_NAME}-${JAR_VERSION}.jar
COPY ./static /app/static
COPY ./libjnsm.so /app/lib/
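Review bot: The new packages on the `apt install` line are written as `udhcpc\` with no space before the continuation backslash; Docker still joins the lines correctly because the next line starts with whitespace, but it reads as a typo and breaks as soon as someone reflows the list, so write `busybox udhcpc \`. It is also not clear from this hunk why `busybox` and `udhcpc` are needed inside the enclave image (presumably `gvforwarder` relies on a DHCP client to configure the interface it creates); a comment above the `RUN` naming the consumer would record that and keeps the enclave's package set deliberately minimal. `COPY ./gvforwarder /app` would read better as `COPY ./gvforwarder /app/gvforwarder`, matching the explicit destinations used for the other `COPY` lines.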
diff --git a/scripts/aws/eks-pod/Dockerfile b/scripts/aws/eks-pod/Dockerfile
index de1a30af5..7e5aac62a 100644
--- a/scripts/aws/eks-pod/Dockerfile
+++ b/scripts/aws/eks-pod/Dockerfile
@@ -10,6 +10,7 @@ ARG SYSLOG_NG_LOGROTATE_RPM="syslog-ng-logrotate-4.7.1.104.gcc5a7d9-1.amzn2023.x
COPY ./sockd /home/
COPY ./sockd_eks.conf /etc/sockd.conf
COPY ./vsockpx /home
+COPY ./gvproxy /home
COPY ./${IVYKIS_RPM} /home/syslog-ng/
COPY ./${LIBNET_RPM} /home/syslog-ng/
COPY ./${PUBKEY} /home/syslog-ng/
diff --git a/scripts/aws/eks-pod/entrypoint.sh b/scripts/aws/eks-pod/entrypoint.sh
index 2dc0483e2..72a84ed0b 100644
--- a/scripts/aws/eks-pod/entrypoint.sh
+++ b/scripts/aws/eks-pod/entrypoint.sh
@@ -32,6 +32,9 @@ function setup_vsockproxy() {
echo "starting vsock proxy at $VSOCK_PROXY with $VSOCK_THREADS worker threads..."
$VSOCK_PROXY -c $VSOCK_CONFIG --workers $VSOCK_THREADS --log-level $VSOCK_LOG_LEVEL --daemon
echo "vsock proxy now running in background."
+
+ /home/gvproxy -listen vsock://:1024 -listen unix:///tmp/network.sock &
+ curl --unix-socket /tmp/network.sock http:/unix/services/forwarder/expose -X POST -d '{"local":":80","remote":"192.168.127.2:8080"}' &
}
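Review bot: The `curl ... /services/forwarder/expose` call is backgrounded immediately after `gvproxy &`, so it races gvproxy's creation of `/tmp/network.sock`; if curl runs first it fails, and because both are backgrounded and unchecked the pod comes up with no port-80 forward and nothing in the log says so. Wait for the socket to appear, run curl in the foreground with `--fail`, and abort the entrypoint if the expose request is rejected. Two further points to confirm: `-listen vsock://:1024` appears to accept connections from any CID, whereas the removed `operator-service` entry in `proxies.host.yaml` was tied to CID 42, and a control socket in world-writable `/tmp` lets any process in the pod add or remove forwards, so a dedicated directory with restricted permissions would narrow that. `setup_vsockproxy` begins outside the hunk.
```shell
/home/gvproxy -listen vsock://:1024 -listen unix:///tmp/network.sock &

# Wait (bounded) for gvproxy to create its control socket before configuring it.
for _ in $(seq 1 50); do
    [ -S /tmp/network.sock ] && break
    sleep 0.2
done
if [ ! -S /tmp/network.sock ]; then
    echo "gvproxy control socket did not appear" >&2
    exit 1
fi
if ! curl --silent --show-error --fail --unix-socket /tmp/network.sock http:/unix/services/forwarder/expose \
        -X POST -d '{"local":":80","remote":"192.168.127.2:8080"}'; then
    echo "failed to expose port 80 via gvproxy" >&2
    exit 1
fi
```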
function setup_dante() {
diff --git a/scripts/aws/eks-pod/proxies.host.yaml b/scripts/aws/eks-pod/proxies.host.yaml
index 5a2ae0623..c26aad6b9 100644
--- a/scripts/aws/eks-pod/proxies.host.yaml
+++ b/scripts/aws/eks-pod/proxies.host.yaml
@@ -5,11 +5,6 @@ socks5h-proxy:
listen: vsock://-1:3305
connect: tcp://127.0.0.1:3306
-operator-service:
- service: direct
- listen: tcp://0.0.0.0:80
- connect: vsock://42:8080
-
operator-prometheus:
service: direct
listen: tcp://0.0.0.0:9080
diff --git a/scripts/aws/entrypoint.sh b/scripts/aws/entrypoint.sh
index 37214388b..95c34def2 100755
--- a/scripts/aws/entrypoint.sh
+++ b/scripts/aws/entrypoint.sh
@@ -18,6 +18,10 @@ ifconfig lo 127.0.0.1
echo "Starting vsock proxy..."
/app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3
+# -- gvisor forwarder
+/app/gvforwarder -debug -url vsock://3:1024/connect &
+sleep 5
+
# -- load config from identity service
echo "Loading config from identity service via proxy..."
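Review bot: `gvforwarder` is started in the background with a fixed `sleep 5` and no check that it is still alive, so if it exits straight away (the vsock endpoint on CID 3 not listening yet, or a rejected flag) the script carries on into the config load and fails later with a less useful error. Record the pid and check it after the delay: `GVFORWARDER_PID=$!`, `sleep 5`, `kill -0 "$GVFORWARDER_PID" 2>/dev/null || { echo "gvforwarder exited during startup" >&2; exit 1; }`. The `-debug` flag also looks like a development leftover; a production enclave entrypoint should run without it unless the verbose output is intentionally kept for syslog.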
diff --git a/scripts/aws/pipeline/amazonlinux.Dockerfile b/scripts/aws/pipeline/amazonlinux.Dockerfile
index 90f6d0505..0daa94fe7 100644
--- a/scripts/aws/pipeline/amazonlinux.Dockerfile
+++ b/scripts/aws/pipeline/amazonlinux.Dockerfile
@@ -5,7 +5,7 @@ RUN yum -y update
# systemd is not a hard requirement for Amazon ECS Anywhere, but the installation script currently only supports systemd to run.
# Amazon ECS Anywhere can be used without systemd, if you set up your nodes and register them into your ECS cluster **without** the installation script.
RUN yum -y groupinstall "Development Tools"
-RUN yum -y install systemd vim-common wget git tar
+RUN yum -y install systemd vim-common wget git tar go
RUN yum clean all
RUN yum -y install cmake cmake3
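Review bot: `go` is installed from the Amazon Linux 2 `yum` repositories here, and from `dnf` in `amazonlinux2023.Dockerfile` later in this diff, while `Dockerfile.nitro.builder` builds the same project with `golang:1.23.0`; if gvisor-tap-vsock's `go.mod` requires a newer toolchain than the distribution package ships, the later `make` step fails (or, depending on the installed Go version, fetches a different toolchain on its own). Pinning one Go version for all three Dockerfiles, or installing the same tarball in each, avoids three different compilers producing the `gvproxy`/`gvforwarder` binaries that end up in the pipeline and enclave images.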
@@ -47,6 +47,13 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
&& cd uid2-aws-enclave-vsockproxy/build; cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo; make; cd ../.. \
&& cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+ && cd gvisor-tap-vsock \
+ && make \
+ && cd .. \
+ && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+ && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
COPY ./scripts/aws/pipeline/aws_nitro_eif.sh /aws_nitro_eif.sh
CMD ["/usr/sbin/init"]
diff --git a/scripts/aws/pipeline/amazonlinux2023.Dockerfile b/scripts/aws/pipeline/amazonlinux2023.Dockerfile
index 79bcd66df..d53fe0dac 100644
--- a/scripts/aws/pipeline/amazonlinux2023.Dockerfile
+++ b/scripts/aws/pipeline/amazonlinux2023.Dockerfile
@@ -5,7 +5,7 @@ RUN dnf update -y
# systemd is not a hard requirement for Amazon ECS Anywhere, but the installation script currently only supports systemd to run.
# Amazon ECS Anywhere can be used without systemd, if you set up your nodes and register them into your ECS cluster **without** the installation script.
RUN dnf -y groupinstall "Development Tools" \
- && dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel \
+ && dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 go aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel \
&& dnf clean all
RUN systemctl enable docker
@@ -24,6 +24,13 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
&& cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx \
&& rm -rf uid2-aws-enclave-vsockproxy
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+ && cd gvisor-tap-vsock \
+ && make \
+ && cd .. \
+ && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+ && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
COPY ./scripts/aws/pipeline/aws_nitro_eif.sh /aws_nitro_eif.sh
CMD ["/usr/sbin/init"]
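Review bot: The existing vsockproxy step just above removes its source tree with `rm -rf uid2-aws-enclave-vsockproxy` once the binary is copied, but the new gvisor-tap-vsock block leaves the cloned tree and the Go build cache in the image; add `&& rm -rf gvisor-tap-vsock` after the two `cp` lines (and `go clean -cache` if image size matters) so the new step matches the one it mirrors. The copy of this block in `amazonlinux.Dockerfile` has the same omission.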
diff --git a/scripts/aws/pipeline/enclave-cli-1.5.3rc.zip b/scripts/aws/pipeline/enclave-cli-1.5.3rc.zip
new file mode 100644
index 000000000..c1f568a72
Binary files /dev/null and b/scripts/aws/pipeline/enclave-cli-1.5.3rc.zip differ
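Review bot: `scripts/aws/pipeline/enclave-cli-1.5.3rc.zip` is a prebuilt binary archive added to the repository, and nothing else in this diff references it, so its purpose, origin and integrity cannot be reviewed from the change; a release-candidate build of the enclave CLI is also exactly the kind of artifact whose provenance matters, since it takes part in producing the attested EIF. If it is needed, record where it came from and its expected digest (for example an `enclave-cli-1.5.3rc.zip.sha256` alongside it, checked where the archive is unpacked) and prefer fetching a published release over committing the blob; if it is not needed yet, drop it from this change.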
diff --git a/scripts/aws/proxies.nitro.yaml b/scripts/aws/proxies.nitro.yaml
index 0f459b150..23eaa9688 100644
--- a/scripts/aws/proxies.nitro.yaml
+++ b/scripts/aws/proxies.nitro.yaml
@@ -1,10 +1,4 @@
---
-
-uid-operator-in:
- service: direct
- listen: vsock://-1:8080
- connect: tcp://127.0.0.1:8080
-
prometheus-server:
service: direct
listen: vsock://-1:9080